IE9 vs. Chrome vs. Firefox vs. Safari at Pwn2Own 2011

Pre-release versions of the latest major iterations of browsers from Microsoft, Google, Mozilla and Apple will come under attack in March at CanSecWest’s 5th annual Pwn2Own competition sponsored by the Zero Day Initiative (ZDI) team from HP TippingPoint.

Pre-registration is already open for the 12th annual CanSecWest conference (March 9-11, 2011, in Vancouver, British Columbia).

According to Aaron Portnoy, the Manager of the Security Research Team at TippingPoint Technologies, this year’s prizes have grown to no less than $125,000.

As is tradition for the security event, browsers will come under fire, with researchers attempting to “own” their victims in less than 30 minutes.

The fact is that, judging by the previous hack attempts at CanSecWest’s Pwn2Own contest, 30 minutes might as well be a lifetime, since security researchers compromised their targets in a matter of a few minutes at most.

“This year the web browser targets will be the latest release candidate (at the time of the contest) of the following products: Microsoft Internet Explorer, Apple Safari, Mozilla Firefox, Google Chrome. Each browser will be installed on a 64-bit system running the latest version of either OS X or Windows 7,” Portnoy explained.

Most likely, security researchers will attempt to own the Release Candidate (RC) of Internet Explorer 9 (IE9), which seems right on track for launch on February 10, 2011.

It’s also highly possible that Mozilla’s Firefox 4.0 will be another target, since it’s hard to believe that the open source browser vendor will wrap up the successor of Firefox 3.6 by then.

In addition, Chrome 10 is the likely version of Google’s open source browser that will be put to the test.

The researchers who successfully break their target browser get to walk away with the device they hack, including machines such as a Sony Vaio with Windows 7, an Alienware m11x with Windows 7, an Apple MacBook Air 13" with Mac OS X Snow Leopard, and a Google CR-48 running ChromeOS (this particular computer is in the contest just as a prize).

“As for Chrome, the contest will be a two-part one. On day 1, Google will offer $20,000 USD and the CR-48 if a contestant can pop the browser and escape the sandbox using vulnerabilities purely present in Google-written code.

“If competitors are unsuccessful, on day 2 and 3 the ZDI will offer $10,000 USD for a sandbox escape in non-Google code and Google will offer $10,000 USD for the Chrome bug. Either way, plugins other than the built-in PDF support are out of scope,” he added.